Kerberos: An Authentication Service for Open Network Systems

J. G. Steiner, C. Neuman, J. I. Schiller

What is Kerberos?

• Trusted third-party authentication service

• Requirements:– Secure (Private Key Encryption)– Transparent (Tickets)– Scalable (Replication)– Reliable

Kerberos Authentication Protocols

Kerberos

Client

Server

TGS

Security

Transparency

• Tickets are reusable (authenticators are not)– {s,c,addr,timestamp,life,KS,C}KS

• Ticket-granting ticket can occur at login – (8 hour lease), kinit for new TGT

• Library calls: – krb_mk_req, krb_rd_req, krb_mk_prv, krb_rd_prv

Scalability & Reliability

• Slave (Read Only) Authentication Databases

• Master Kerberos DB used for (Write) Administration Requests– Entire DB is propagated every hour

• Common transactions can take place with replicated (Slave) servers

Open Issues & Questions

• Ticket Lifetime? (Short-term Playback)

• Integrity of workstation programs?

• Scalability between realms?

• Centralized authentication with Private-Key encryption advantages/disadvantages over Public-Key?